Helix Kitten

List of names used by the industry:
- APT34
- OilRig
- Crambus
- Cobalt Gypsy
- Hazel Sandstorm
- EUROPIUM
- Scarred Manticore
- Greenbug
- TA452
- Evasive Serpens
- ITG13
- IRN2
- Earth Simnavaz
Sub-group: Lyceum (also known as HEXANE, Storm-0133, SiameseKitten)
Date founded:
Active since at least 2014.
Affiliation:
Iranian state-sponsored. Affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Operations are primarily cyber espionage against Middle Eastern targets.
Social media handles/websites:
N/A
Previous operations:
Researchers believe that the group has been active since 2014 with their first campaign being conducted in late 2015 against the Saudi Arabian defense industry. This campaign appeared to use fake job offers as a social engineering vector.
- In May 2016, the group were observed conducting targeted attacks against financial institutions and technology organizations in Saudi Arabia. The threat actors conducted spear-phishing attacks in which they claimed to be legitimate service providers offering service and technical troubleshooting. The attacks delivered a backdoor called “Helminth” either via an Excel macro (delivered via email with a malicious Excel spreadsheet attached; these targeted Saudi Arabian financial organizations) or as a standalone executable (possibly delivered in a ZIP archive as part of the attacks targeting the Saudi Arabian defense industry).
- In summer 2016, the group were attributed with an expansion of attacks to include more organizations in Saudi Arabia as well as companies in Qatar and government organizations in Turkey, Israel and the United States. The group updated their “Helminth” backdoor and delivery toolset as they expanded their target set. The earliest variant of “Helminth” dated back to April 2016. This activity is also sometimes known as the Greenbug campaign.
- In 2017, the group were identified using a range of exploits against organizations in the Middle East. In July, they were observed using a PowerShell-based backdoor called “POWRUNER” and a downloader called “BONDUPDATER”. They were also identified targeting another technology organization with a variant of the ISMDoor Trojan carrying significant modifications, known as ISMAgent; this variant was used to maintain persistence on target networks. The payload was delivered by a malicious delivery document known as “ThreeDollars”. In November, the group leveraged an exploit for a recently patched Microsoft Office vulnerability to target a government organization in the Middle East with the same backdoor and downloader.
- In 2018, the group significantly diversified their operations. In January the group were identified targeting a Middle Eastern insurance company and a financial institution. The threat actors attempted to deploy a new Trojan dubbed “OopsIE” using the previously seen “ThreeDollars” malicious Microsoft Word document. The group continued to use the OopsIE Trojan, with variations, throughout 2018.
- The group also started a long-running espionage campaign codenamed “Out to Sea” by the Slovak cybersecurity company ESET. The victims of this campaign included diplomatic organizations, technology companies and medical organizations in Israel, Tunisia and the United Arab Emirates. Some researchers link this campaign to a sub-group of APT34 known as Lyceum.
- In November 2018, the DNSpionage malware campaign was uncovered targeting the Middle Eastern region, including Lebanon and the UAE. Individuals were targeted with malicious payloads delivered via LinkedIn messages and compromised sites. The DNSpionage malware is a custom remote administration tool that uses the HTTP and DNS protocols to communicate with attacker-controlled command and control servers.
- In March 2019, the group’s tools and data from their victims were leaked on Telegram by a group called Lab Dookhtegan. Researchers confirmed the authenticity of the leaked source code, which included tools such as Glimpse, PoisonFrog (also known as BONDUPDATER), HyperShell, HighShell, FoxPanel and Webmask, the latter being the main DNS tunnelling tool behind the DNSpionage campaign. The leak also contained data from 66 victims (mainly from countries in the Middle East, but also Africa, East Asia and Europe). Iranian Ministry of Intelligence and Security (MOIS) officers were doxxed as allegedly involved in the group’s operations.
- In June 2019, the group deployed a malware family known as “ToneDeaf” against a range of companies operating in the Middle East. As part of these attacks, Mandiant identified that the group were using a persona claiming to be a researcher at Cambridge University in order to build trust. The payload was also distributed via a link shared on LinkedIn. The group continued adopting and evolving their toolsets with the release of the “Karkoff” implant, which allowed remote code execution from the command and control server. One of the regions targeted by Karkoff was Lebanon. Karkoff included increased obfuscation techniques, highlighting the group’s growing efforts to avoid detection. Researchers saw Karkoff as a stable next-stage development of the POWRUNER implant.
- By 2020, the group’s activities moved into a new phase. Following the Lab Dookhtegan leaks they moved away from noisy access methods to compiled, modular backdoors and more sophisticated command and control communications. In January 2020, researchers identified that the group had conducted a highly targeted attack against Westat, a US-based company providing research services to various government agencies. The delivery mechanism was a customised Excel sheet with malicious macros, which in turn deployed a modified and significantly stealthier version of the ToneDeaf malware. The attack also used a new version of the VALUEVAULT credential harvester implant.
- In July 2020, the group were identified to be conducting attacks against a Middle Eastern telecommunications organization using a tool called RDAT that relied on steganography to hide commands and data within bitmap images as part of its email-based command and control strategy. RDAT was first linked to the group in 2017 but has multiple variations relying on different services for C2 comms.
- Since 2021, the group’s activities can be more distinctly separated into different mission cells operating different campaigns. The core group have been linked to the SideTwist campaign running from 2021 to 2023. In April 2021, the group targeted a range of Lebanese entities using the SideTwist backdoor, delivered following their standard spear-phishing TTPs. SideTwist had not previously been used by the group, but its functionality was similar to previous backdoors such as DNSpionage and ToneDeaf. Notably, persistence is achieved through the first-stage macro rather than by a persistence mechanism within SideTwist itself. Over the next few years SideTwist became the default for non-Israel and non-special operations. A SideTwist attack in September 2023 was also linked to the group.
- Researchers at ESET noted the development of an Israel-focused cell within the group. In 2021 and 2022, this cell targeted a variety of Israeli organizations across two campaigns, called Outer Space and Juicy Mix. The attacks used two first-stage backdoors called Solar and Mango, which collect sensitive information from major browsers and the Windows Credential Manager. Researchers concluded that the backdoors were deployed from VBS droppers, presumably spread via spear-phishing emails.
- In the Outer Space campaign (2021), the group compromised an Israeli human resources site and used it as a command and control server for Solar, their C#/.NET backdoor. Solar was also used to deploy the SampleCheck5000 downloader. This campaign was determined to focus on precision espionage. The cell improved the following year with the Juicy Mix campaign (2022), in which the group used Mango, an updated version of Solar with additional features and obfuscation methods. The group once again compromised a legitimate Israeli website (a job portal) to use as a command and control server.
- The core group continued to perform other attacks across 2021 and 2022 targeting government organizations across the Middle East. These attacks used backdoors including Karkoff, Shark and Marlin. In May 2022, the core group were attributed with a campaign targeting Jordan’s foreign ministry using spear-phishing. The attacks were linked by the use of a backdoor called “Saitama”, a .NET-based malware that uses DNS for its command and control and relies on an Excel macro to establish persistence through a scheduled task.
- Unusually, in July 2022 the group were attributed with a wave of destructive ransomware and wiper attacks against the Albanian government. This was a complete shift from the group’s traditional cyber-espionage focus and remains the only sabotage campaign attributed to the group.
- Continuing into 2023, researchers at ESET identified that the group deployed three downloader malware variants in order to maintain persistent access to Israeli victim organizations. The victims included a healthcare company, a manufacturing company, and a local government organization. The researchers named the downloaders ODAgent, OilCheck, and OilBooster. The attacks also used an updated version of the known SampleCheck5000 downloader. The researchers highlighted that the downloaders were notable for using one of several legitimate cloud service APIs for command and control: the Microsoft Graph OneDrive or Outlook APIs, or the Microsoft Office Exchange Web Services (EWS) API. This tradecraft helps disguise the group’s attack infrastructure and blend their traffic with legitimate network traffic.
- In 2023, the core group continued their usual operations with a campaign targeting a variety of government organizations in the Middle East using the PowerExchange PowerShell backdoor. The attackers monitored and exfiltrated emails, and deployed further backdoors and keyloggers. Researchers identified that the group used the publicly available network administration tool Plink to configure port-forwarding rules allowing remote access via Remote Desktop Protocol (RDP). The group also targeted more organizations in the telecommunications sector.
- The group also used the LIONTAIL framework (a set of custom loaders and memory-resident shellcode payloads). Researchers noted that the multiple variants of LIONTAIL-associated malware suggested the group generates tailor-made implants for each compromised server, helping their activity blend in with legitimate network traffic. The group also used an updated variant of SideTwist to target a victim in Saudi Arabia. The phishing theme for this attack was a fake license registration form from an African government agency.
- In 2024, an extensive attack was discovered against Iraqi governmental networks. Researchers with Trend Micro highlighted a rise in the group’s activities targeting infrastructure in the Middle East and noted the deployment of yet another new backdoor. The new toolset targets on-premises Microsoft Exchange servers. A remote monitoring and management (RMM) tool known as ngrok has also been observed in their operations.
- Since 2025, the group has allegedly been conducting further cyber espionage campaigns against energy and defense companies across Europe and the Middle East. The attacks have used compromised Microsoft 365 and Azure environments for persistence, demonstrating a continued increase in cloud capability.
Tactics/Techniques/Tradecraft/Procedures (TTPs):
- Initial access is almost always through highly targeted social engineering such as spear-phishing emails with malicious attachments or malicious links shared via social media.
- Payload delivery historically was through malicious Microsoft macros alongside the use of VBS droppers.
- The use of customized .NET tools and PowerShell scripts designed for specific target environments makes the group’s operations challenging for conventional security solutions to identify. These tools enable operational flexibility while remaining undetected.
- Exploitation of published CVEs to enable privilege escalation.
- Use of Microsoft Exchange servers for credential theft.
- Persistence is often achieved through scheduled tasks (either at the downloader or backdoor phase) or through publicly available tools such as Plink and ngrok.
- A key characteristic of the group’s operations is their use of specialized, continuously refined command and control mechanisms, for example custom DNS tunnelling and email-based channels leveraging compromised accounts. The group also commonly use legitimate cloud service APIs (for example, Microsoft Graph OneDrive and Microsoft Office Exchange Web Services).
- The group use a variety of evasion techniques, including obfuscation and encoding within their source code, occasional use of steganography for data exfiltration, and the blending of C2 traffic with that of legitimate cloud services.
- The group exhibits recognisable patterns; for example, it is common for them to introduce a new set of lightweight .NET and PowerShell backdoors yearly that are rarely reused.
- The group primarily targets government, energy, finance, and defense organizations across the Middle East. Since 2021 they have demonstrated a particular focus on targeting Israeli entities. They have also targeted European organizations (energy and defense sectors) and there is a known instance of them targeting a US-based company.
- For detailed TTPs and IOCs see the articles from Unit 42 and ESET, or the MITRE summary at attack.mitre.org/groups/G0049/
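As an added example (not from this profile or any of the cited vendors), a small detector for the DNS-tunnelling C2 pattern listed above, run over a constructed DNS query log: it flags domains that receive many distinct, long, high-entropy subdomain queries, which is how tunnelling tools carry data in query names. The log format and the c2-updates.test domain are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, one "<client> <qtype> <qname>" per line (the format is
# an assumption for this example, not any vendor's). The c2-updates.test queries mimic
# encoded data smuggled into subdomain labels; the other lines are ordinary lookups.
SAMPLE_LOG = """\
10.0.0.5 A www.example-corp.test
10.0.0.5 A login.microsoftonline.com
10.0.0.7 TXT 3a5f92c1e4b7d80f6a2c.c2-updates.test
10.0.0.7 TXT 9e1b44d7f0a3c6e28b5d.c2-updates.test
10.0.0.7 TXT 5c7a0d3e9f1b2a6c4e8d.c2-updates.test
10.0.0.7 TXT b2e6f19a7c3d0e5a8f4b.c2-updates.test
10.0.0.5 A mail.example-corp.test
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted chunks score far above real host names."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def profile_queries(log_text: str) -> dict:
    """Per registered domain (simplified to the last two labels), summarise the leftmost
    label, which is where tunnelling tools carry their payload."""
    acc = defaultdict(lambda: {"names": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        labels = parts[2].lower().rstrip(".").split(".")
        leftmost, domain = labels[0], ".".join(labels[-2:])
        acc[domain]["names"].add(".".join(labels))
        acc[domain]["lens"].append(len(leftmost))
        acc[domain]["ents"].append(shannon_entropy(leftmost))
    return {d: {"unique": len(v["names"]),
                "mean_len": sum(v["lens"]) / len(v["lens"]),
                "mean_entropy": sum(v["ents"]) / len(v["ents"])}
            for d, v in acc.items()}

def flag_tunnelling(log_text: str, min_unique=4, min_len=16, min_entropy=3.0) -> dict:
    """Flag domains with many distinct, long, high-entropy subdomains: the signature of data
    carried in query names. Thresholds are starting points to tune per environment."""
    return {d: p for d, p in profile_queries(log_text).items()
            if p["unique"] >= min_unique and p["mean_len"] >= min_len
            and p["mean_entropy"] >= min_entropy}

if __name__ == "__main__":
    for domain, prof in flag_tunnelling(SAMPLE_LOG).items():
        print(f"possible DNS tunnelling to {domain}: {prof}")
```

In production the per-domain counts should be computed over a time window per source host, and the two-label domain simplification replaced with a public suffix list, otherwise CDNs and large SaaS domains will dominate the alert volume.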
People of interest that have been doxxed online/sanctioned:
A number of officials allegedly working for the Iranian Ministry of Intelligence and Security (MOIS) were doxxed as being linked to the group in March 2019.
Sources:
Wikipedia.org/wiki/Helix_Kitten
Thehackernews.com/2023/12/iranian-state-sponsored-oilrig-group.html
Thehackernews.com/2023/09/iranian-nation-state-actor-oilrig.html
Thehackernews.com/2023/02/iranian-oilrig-hackers-using-new.html
Thehackernews.com/2019/04/karkoff-dnspionage-malware.html
Thehackernews.com/2022/05/new-saitama-backdoor-targeted-official.html
Unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor
Unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets
Levelblue.com/blogs/levelblue-blog/inside-apt34-oilrig-tools-techniques-and-global-cyber-threats
Cloud.google.com/blogs/topics/threat-intelligence/targeted-attack-in-middle-east-by-apt34
Unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan
Zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram
Blog.talosintelligence.com/dnspionage-brings-out-karkoff
Unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure
Unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography
Research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal
Cloud.google.com/blog/topics/threat-intelligence/hard-pass-decling-apt34-invite-to-join-their-professional-network
Microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government
Trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html
Brandefense.io/blog/oilrig-apt-2025

